ChoicePoint, the background check company that allowed personal data on 163,000 people to be stolen by hackers two years ago, has advice for anyone wanting to avoid a similar embarrassment.
Since the 2005 attack, the company has transformed itself into what one analyst called a "role model" in data security and privacy. ChoicePoint's CIO explained how it recovered and offered lessons for other enterprises that handle sensitive data.
Too often, simple mistakes are the cause of data breaches, said Darryl Lemecha, CIO and senior vice president of shared services at ChoicePoint. Listing a person's Social Security number on a mailing address label, or not encrypting data on a laptop that is later stolen or lost, has left some companies wishing they had thought more about security, he said.
"Encrypt all your laptops," said Lemecha, speaking at the IDC IT Forum & Expo, "because they're going to get lost, they're going to get stolen. And make sure all your handheld devices have passwords on them and you have the ability to do a remote wipe [of data]."
In 2005, the records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company's database. ChoicePoint agreed to pay $10 million in civil penalties and $5 million for consumer redress. The company, which recently reached a separate settlement with 43 states over the breach, also decided to limit the sale of information containing sensitive consumer data, including Social Security and driver's licence numbers.
In doing so, ChoicePoint walked away from what was a more than $15 million business serving small and mid-sized accounts, but the company felt it could not sufficiently validate the credentials of those customers in a cost-efficient manner, Lemecha said.
After the data breach, ChoicePoint worked backwards to determine the credentials of every one of its customers, he said. "The truth is, we assume every piece of information a customer provides us in the credentialling process is potentially fraudulent, and we validate it against other sources," Lemecha said.
ChoicePoint has been subjected to more than 80 external audits over the past 24 months, he said.
In April, Gartner analyst Avivah Litan told USA Today that "ChoicePoint transformed itself from a poster child of data breaches to a role model for data security and privacy practices."
Lemecha offered a five-step plan to CIOs looking to shore up their data security and privacy systems, based on what ChoicePoint has done.
The first step is governance. ChoicePoint has a chief privacy officer who reports directly to a board that governs privacy and public responsibility, bypassing the rest of the corporate structure, he said. This board is briefed quarterly on progress, and several other committees take on more specific oversight roles. Beyond committees, ChoicePoint has a number of divisions tackling privacy and security from different angles, such as a corporate credentials centre, a compliance and privacy division, and internal auditing.
"From an execution perspective, don't expect a single group to be able to do it all," Lemecha said. "If you want to do something really simple, take a look at your organisation, figure out where all the security functions occur, and lay out an accountability and responsibility chart, just a simple diagram."
The second step is to clearly define expected behaviour and provide tools to employees to simplify compliance. ChoicePoint instituted a number of practices to monitor potentially fraudulent customer behaviour, such as investigating companies that suddenly increase the number of background checks they run by a large margin, he said.
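The volume-spike check described above, written out as an added example (this is not ChoicePoint's code, and the customer names and daily counts are constructed): each customer's background-check volume on the day under review is compared with the median of its previous week, and a customer is flagged for investigation when the volume exceeds a multiple of that baseline, or when a customer with no history at all runs a large number of checks.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (customer_id, day_index, background_checks_run).
# Days 0-6 form the baseline window; day 7 is the day under review.
SAMPLE_DAILY_COUNTS = [
    ("acme-screening", 0, 40), ("acme-screening", 1, 38), ("acme-screening", 2, 45),
    ("acme-screening", 3, 41), ("acme-screening", 4, 39), ("acme-screening", 5, 44),
    ("acme-screening", 6, 42), ("acme-screening", 7, 43),
    ("quickcheck-llc", 0, 5), ("quickcheck-llc", 1, 6), ("quickcheck-llc", 2, 4),
    ("quickcheck-llc", 3, 7), ("quickcheck-llc", 4, 5), ("quickcheck-llc", 5, 6),
    ("quickcheck-llc", 6, 5), ("quickcheck-llc", 7, 90),
    ("fresh-account", 7, 60),   # brand-new customer, no history, heavy use on day one
    ("new-tenant-co", 7, 3),    # brand-new customer, trivial volume
]


def flag_volume_spikes(rows, review_day, baseline_days=7, ratio=3.0, min_checks=20):
    """Return a sorted list of (customer, reason, review_count, ratio_to_baseline).

    reason is "spike" when today's count is at least `ratio` times the customer's
    median over the previous `baseline_days`, or "no_baseline" when the customer has
    no prior history.  `min_checks` suppresses alerts on tiny absolute volumes, so a
    jump from 2 to 8 checks does not page an analyst.
    """
    history = defaultdict(dict)
    for customer, day, count in rows:
        history[customer][day] = count

    alerts = []
    for customer, by_day in sorted(history.items()):
        today = by_day.get(review_day, 0)
        if today < min_checks:
            continue
        window = [by_day[d] for d in range(review_day - baseline_days, review_day)
                  if d in by_day]
        if not window:
            alerts.append((customer, "no_baseline", today, None))
            continue
        base = median(window)
        if base == 0 or today / base >= ratio:
            alerts.append((customer, "spike", today, round(today / base, 1) if base else None))
    return alerts


if __name__ == "__main__":
    for alert in flag_volume_spikes(SAMPLE_DAILY_COUNTS, review_day=7):
        print(alert)
```

In practice the flagged customers would feed the credential re-validation process the article describes, not an automatic cut-off, since a legitimate client can also have a busy hiring week.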
Third, a company should write information security breach response policies and procedures, spelling out who should be notified in case of a breach and what the company should do for affected customers.
After ChoicePoint's breach, the company offered free credit monitoring, credit reports and identity-theft insurance to the victims.
Fourth, determine the credentials of people you work with and those who work for you.
Lemecha recommended performing background checks on employees on an ongoing basis, rather than just doing one at the time of hire. "If you only check them at the beginning, you'll never know what's happened in between," he said.
The last step Lemecha recommended is embracing openness. ChoicePoint developed a website detailing the steps it takes to protect privacy, and developed another site that lets consumers find out what information ChoicePoint maintains about them in its files - if they can sufficiently authenticate their identities, of course.
Until ChoicePoint's data breach, "we felt we were as good as anyone else in the industry," Lemecha said. "But now we feel we really are world-class in terms of our policies, procedures and practices. That was a leap that got taken in really an 18- to 24-month period. It's a very short time and it took work from a lot of people."